Ransom-ware has been found in malicious adverts displayed by major news and high-traffic websites.

As first reported by Trustwave, and confirmed by several other security firms, these and other sites—including AOL, MSN, Answers.com, ZeroHedge.com, and Infolinks.com—were hit by malicious ads served up by once-legitimate networks that were taken over by scammers.

“It seems that an experienced actor has acquired an expired domain of a small but probably legitimate advertising company in order to utilize [it] for malicious purposes,” according to Trustwave, which said the Angler exploit kit is to blame.

It turns out several high-profile sites were retrieving a JSON file as they normally would to pull advertising content from providers. But that included a “suspicious, heavily obfuscated JavaScript file with more than 12,000 lines of code” that worked to obscure malicious intent. “Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware – double the trouble,” Trustwave said.

“It’s important to note,” Trust-wave said, “that while these popular sites are involved in the infection process,” they are still victims of malvertising. “The only ‘crime’ here is being popular and having high volumes of traffic going through their sites daily.”

This attack points to a larger trend in malvertising: the stalking of domains that are nearing their expiration date—in this case, those containing the word “media.” According to the BBC, the domain exploited in this case fell into the hackers’ hands in January.

“Users and organizations are advised to make sure that [they] keep their applications and systems up-to-date with the latest security patches; Angler Exploit Kit is known to exploit vulnerabilities in Adobe Flash and Microsoft Silver-light, among others,” Trend Micro said in a blog post.

Trend Micro “is already able to protect users against this threat,” while Malwarebytes said its “Anti-Exploit blocks the malvertising attack when it launches the exploit kit.”